On Tuesday 27 February 2007, Grant wrote:
> > > > Anyway, a closed port remains closed whether a firewall is
> > > > running, or not.
> > >
> > > I thought the firewall specified which ports to open/close.
> >
> > Not quite, but we might be running into terminology here.
> >
> > The app that is listening on a port opens the port. This has nothing
> > to do with the firewall. The firewall is simply an extra level of
> > checks applied before the packet is allowed through the firewall to
> > be received by the kernel, in the same way that a bouncer allows or
> > disallows the public to enter a club. If the bouncer is off sick,
> > the public gets to walk through the door up to reception, assuming
> > the club is open for business.
> >
> > What Mick was referring to is that if a service is running, it's
> > still going to listen on its port whether iptables is running or
> > not. So, in the absence of iptables (i.e. your bouncer is off
> > sick), you hopefully have a decent password strategy in use by
> > whatever is actually listening on the box.
>
> So as far as incoming connections are concerned, if there are no
> listening applications, there is no need for a firewall?
Technically yes. In the real world, it depends.

The theory will work if and only if you can absolutely guarantee that no listening service will ever be running behind that firewall, and that this will always be true from here on out till the end of time regardless of who has access to the machine. That's a tall order, and leaves human nature out of it. You might install a listening app and leave it running in error without realising the impact of not having a firewall. Someone else might do the same.

Ubuntu takes the approach you just asked about and it mostly works well, especially for notebooks on a LAN behind a NATing gateway. If you are running a network with valuable private information on it, you might well prefer a belts and braces approach of having a mostly-closed firewall as well.

As always, the best solution will vary according to what *you* need.

alan

-- 
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
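The two points made in this exchange can be shown on a local machine. The following is an added example, not code from anyone in the thread: the first part demonstrates that, with no firewall involved at all, a TCP port with no listener is refused by the kernel while a port with a listener accepts, and that a timeout is what a filtering (DROP) firewall would look like instead; the second part is the defender's check for the "someone left a service running in error" case, parsing a constructed sample of `ss -ltn` output (not captured from any real host) and listing listeners that a hypothetical mostly-closed firewall allow-list of ports 22 and 80 does not cover. The port numbers and the allow-list are assumptions for the demonstration.

```python
"""Added example (not part of the original thread): the "closed port vs.
firewall" distinction and a check for listeners the firewall policy misses."""
import socket
from typing import Iterable, List, Tuple


def probe_local_port(port: int, timeout: float = 1.0) -> str:
    """Connect to 127.0.0.1:port and classify the outcome.

    'accepted'  - a process is listening; the kernel completed the handshake
    'refused'   - nothing listening; the kernel answered with RST (no firewall needed)
    'filtered'  - no answer at all; this is what a DROP rule looks like
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(("127.0.0.1", port))
        return "accepted"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def demo_open_vs_closed() -> Tuple[str, str]:
    """Probe one port with a listener and one without; return both results."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port chosen by the kernel
    srv.listen(1)
    open_port = srv.getsockname()[1]
    try:
        open_result = probe_local_port(open_port)
        # Bind-and-release to obtain a port that is free right now, then probe it
        # with nothing listening behind it.
        tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
        tmp.close()
        closed_result = probe_local_port(closed_port)
    finally:
        srv.close()
    return open_result, closed_result


# Constructed sample of `ss -ltn` output (assumed format; not from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128          127.0.0.1:631          0.0.0.0:*
LISTEN  0       4096           0.0.0.0:3306         0.0.0.0:*
LISTEN  0       511               [::]:80              [::]:*
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Extract (local address, port) pairs from `ss -ltn` style output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")    # rpartition handles [::]:80
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(ss_output: str,
                         allowed_ports: Iterable[int]) -> List[Tuple[str, int]]:
    """Listeners reachable from other hosts that the firewall allow-list does
    not cover. Loopback-only listeners are skipped: they are not exposed to the
    network regardless of whether a firewall is running."""
    allowed = set(allowed_ports)
    return [(addr, port)
            for addr, port in parse_listeners(ss_output)
            if addr not in ("127.0.0.1", "[::1]") and port not in allowed]


if __name__ == "__main__":
    print("open/closed probe:", demo_open_vs_closed())
    print("listeners the allow-list does not cover:",
          unexpected_listeners(SAMPLE_SS_OUTPUT, {22, 80}))
```

Run on a live host you would feed `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout` into `unexpected_listeners` instead of the constructed sample; the point of the check is that the listening socket, not the firewall, is what opens the port, so the audit has to start from what is listening.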

